The server team members now have their hands full closing Java vulnerabilities (and others), and the desktop team is equally busy. So overall, this was a good outcome. Once those holes are closed, I'm thinking of taking another step: basing a server-hardening standard off vulnerability scans. Until now, server hardening has been done based on a checklist I wrote, which was built from a list of best practices and recommendations found on the Web. With a vulnerability scanner to find weaknesses in my company's servers, coupled with a set of configuration and system changes, I'm thinking I should be able to reduce the overall attack surface of my servers. This is basically a feedback process, iterated through scanning and remediation, and that seems to me like a better process than the blind, one-way approach in use today. And that seems like a pretty good outcome from what was originally a search for a quick fix to a high-risk vulnerability.
This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at .
To join in the discussions about security, go to .
in Computerworld's Security Topic Center.